/
Cyber Resilience

Take These 3 Next Steps If Your Government Agency is Building Zero Trust

It's clear to me that Zero Trust has moved from being a new idea to a common practice, especially in the federal government. Agencies understand what Zero Trust is and are working to include it in their cybersecurity plans.  

This is a big change from a few years ago when many agencies were still learning about Zero Trust and why it matters.

The adoption of Zero Trust in government is good to see, but security initiatives shouldn’t stop there. In this blog post, I share my thoughts on the next steps agencies and commands should be taking on their Zero Trust journeys.

How did Zero Trust become mainstream in the federal government?

The move toward Zero Trust in the federal sector reflects a larger trend happening in many industries. This change is mostly because of increased awareness and mandates such as:

The large amount of education and information available has made Zero Trust a key part of federal cybersecurity plans. Agencies now have a clear guide for using Zero Trust, which makes it easier to add to their security systems.

This widespread use is not just in the government. Businesses have also started using Zero Trust. According to Forrester's Security Survey, 2023:  

  • 72% of security leaders at enterprise organizations (1,000 or more employees) are planning to or already starting a Zero Trust program.
  • 78% have already invested resources into a Zero Trust security plan.  

This important shift toward Zero Trust shows a big change in cybersecurity. Instead of just trying to detect and prevent attacks, Zero Trust assumes breaches will happen and proactively prepares to stop them from spreading.  

Black and white columns, American flag, and Capital Building

3 next steps for agencies building Zero Trust

Now that Zero Trust is widely accepted, agencies need to focus on what comes next in their Zero Trust journey. Here are the main things to concentrate on:

1. Build microsegmentation

You can’t do Zero Trust without microsegmentation, also called Zero Trust Segmentation (ZTS). While microsegmentation has been seen as a more advanced security measure, it's now seen as a Zero Trust basic that everyone needs to do.

Relying on traditional security methods to protect your network isn't good enough anymore.

Microsegmentation breaks a network into small, separate parts to stop breaches from spreading through the network. This keeps your most critical data and applications safe while making it harder for attackers to cause disruption.  

2. Automate as much as possible

As networks and organizations get more complicated, it's clear that we need cybersecurity automation more than ever. Doing things by hand just can't keep up with all the new threats and the many tasks needed to keep everything safe.

Automation helps to solve several important problems:

  • Network complexity: Today's networks are large and complex, making it hard to handle security manually. Automation helps organizations put consistent security rules in place across every environment.
  • Skills gap: Research by the The World Economic Forum has found a shortfall of 3.4 million cybersecurity experts. It's clear that there's a growing cybersecurity skills shortage. Automation helps bridge the skills gap by doing routine jobs, freeing up security teams to focus on more complex issues.
  • Human error: Manual processes leave you open to security errors. Automation lowers this risk by limiting the number of manual work in the network. Tools like AI can help build security with less mistakes.

The move to a “shift-left” approach means more DevSecOps teams are building security first during a project. By adding automation to the start of development, organizations can avoid problems and wasted time that come from adding security later on. This way of working helps make security stronger and better able to handle challenges.

3. Consolidate security tools and decision-making

As cyber threats get smarter, agencies are consolidating their security tools and strategies. This consolidation is driven by the need for consistency, affordability, and better resource utilization. By making security a higher-level decision, organizations can streamline their efforts and improve overall security.

While I was the CIO at the Office of the Inspector General for the U.S. Postal Service, I worked with the team to move to a consolidated security decision-making model. While these kinds of changes aren’t easy, they allow you to use resources more effectively, reduce complexity, and further enhance their security posture.

2 things to watch out for during your Zero Trust journey

Starting a Zero Trust journey can improve your organization's cybersecurity. But there are some important challenges to be aware of. These are two key issues you should watch out for to make sure your work on a Zero Trust plan goes smoothly.

1. Too much focus on identity security

At one point, cyber experts thought that if they could just get identity protection right, you'd solve most security problems. This was 30 years ago, and the number of breaches continues to grow. Something isn’t working. While identity is still an important pillar of Zero Trust, it’s clear by now that identity isn’t the best answer to stopping cyberattacks.

I think the reason identity security has become so popular is because it's easy to understand and get cross-functional buy-in. But just because it's simple doesn't mean it's the best way to keep networks and data safe.  

It’s important that we focus just as much – if not more – on network security. John Kindervag often describes networks as having a strong shell but being a liquid mess on the inside. Without breach containment technologies like microsegmentation, there’s no way to stop malware that gets past identity tools.

2. Letting perfect be the enemy of good

There needs to be a major mindset shift about security ownership. And this isn’t just for the public sector – this is widespread.

We can't expect today’s security to be perfect. Breaches will happen, and we need to be prepared to reduce their effect on our operations.

We can’t blame the security team for every cyber problem. Everyone in a company needs to take responsibility for cybersecurity, not just one team or executive. This change in thinking is really important to make security a priority that everyone cares about.

Black and white man running in front of the Capital Building

The future of federal government cybersecurity

Zero Trust is a journey, not a destination. As cybersecurity keeps changing, it's crucial for agencies and commands to make sure they’re planning and prepared for the future.

Bringing these strategies together will help agencies handle cybersecurity challenges better. It's important to regularly update and adapt these strategies to stay ahead of new cyber threats and keep data safe.

Get in touch today with our federal cybersecurity experts to learn how Illumio can help build your Zero Trust initiative.

Related topics

Related articles

Optimising your Essential Eight Vulnerability Management Efforts
Cyber Resilience

Optimising your Essential Eight Vulnerability Management Efforts

Disparate interconnected systems and now remote employees across the globe increase our exposure and opportunity for cybercrime.

Illumio Authorized as a CVE Numbering Authority (CNA)
Cyber Resilience

Illumio Authorized as a CVE Numbering Authority (CNA)

Learn how Illumio’s CNA designation helps us better protect our customers.

Our Favorite Zero Trust Stories from February 2024
Cyber Resilience

Our Favorite Zero Trust Stories from February 2024

Get a few of the datapoints, Q&As, and stories on progressing your Zero Trust initiatives that we found most insightful this month.

John Kindervag's 3 Zero Trust Truths for Government Agencies
Cyber Resilience

John Kindervag's 3 Zero Trust Truths for Government Agencies

Get insight from John Kindervag on the key Zero Trust truths government agencies need to know as they comply with Zero Trust mandates.

6 Expert Recommendations on Zero Trust for Government Agencies
Cyber Resilience

6 Expert Recommendations on Zero Trust for Government Agencies

Get the 6 key recommendations from the recent GovExec webinar on implementing Zero Trust and application segmentation.

10 Reasons State and Local Governments Should Implement Zero Trust Segmentation
Zero Trust Segmentation

10 Reasons State and Local Governments Should Implement Zero Trust Segmentation

Learn how state and local governments can leverage microsegmentation to secure their critical data, assets, and systems.

Assume Breach.
Minimize Impact.
Increase Resilience.

Ready to learn more about Zero Trust Segmentation?